Threat Report - July 2025

Casmer Labs, Cloud Storage Security’s (CSS) internal threat laboratory, monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.

In our Q2 threat report, the Casmer Labs team anticipated continuing growth in popularity of data breaches, particularly related to cloud misconfigurations, vulnerabilities, and lack of activity monitoring.

Microsoft SharePoint Vulnerability Wreaks Havoc

First detected in mid July 2025, Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704 has allowed cyber actors to access on-premise SharePoint servers. Spoofing and RCE techniques, corresponding with these vulnerabilities, allowed cyber actors to gain full access to SharePoint content, including file systems and boot configurations. After initial access, cyber actors have been observed by CISA as encrypting files manually and distributing Warlock ransomware throughout the compromised systems.

To prevent and mitigate the effects of this ransomware, CISA and CSS recommends that organizations take the following steps:

• Apply the necessary security updates released by Microsoft.
• Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers.
• If AMSI cannot be enabled, disconnect affected products from service that are public-facing on the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
• Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
• For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
• Beyond patching, it is critical for organizations to further investigate systems for signs of exploitation. Malware deployed via .dll payloads in particular are difficult to detect, and can be used to obtain machine keys.
• Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the IIS web server.
• Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.  
• Monitor suspicious requests to the sign-out page: /_layouts/SignOut.aspx is the exact HTTP header used by threat actors to exploit ToolPane.aspx for initial access
• Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
• Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
• Update intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
• Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
• Employ robust cyber hygiene and hardening measures to prepare for, prevent, and mitigate ransomware incidents. For more information, see CISA and partners’ #StopRansomware Guide.
• Audit and minimize layout and admin privileges.

Another Misconfiguration Incident

HireClick, a popular job search platform, has exposed over 5 million resumes as a result of a misconfigured and publicly accessible Amazon S3 bucket. Similar to the majority of the misconfiguration incidents in the first half of 2025, the information compromised by attackers will likely be used to supplement social engineering efforts, including phishing campaigns. 

Some evidence suggests that some of the data has been publicly accessible since as early as 2016. The scope of the leaked information includes:

• Full names
• Phone numbers
• Home addresses
• Email addresses
• Employment details

The HireClick incident comes after a number of similar recent incidents, including another recruitment platform beWanted, which exposed the data of 1.1 million job applications across Europe and Latin America.

DataDefender by Cloud Storage Security proactively checks for over 90 security configuration options over 11 major cloud storage services. Checks are organized by severity, meaning that the most critical misconfigurations, such as publicly accessible Amazon S3 buckets or EBS snapshots, can be remediated before moving on to other issues.

DataDefender by Cloud Storage Security is now accepting applications for the second wave of beta users. Sign up for free by filling out this form.

About Cloud Storage Security

Cloud Storage Security (CSS) offers customers the ability to protect the storage layer in their cloud environments. DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:

• Knows where its sensitive data resides
• Configures their storage resources in a secure manner
• Prevents the ingestion and distribution of malware, including ransomware
• Identifies and stops internal and external attacks against storage, and the data within

The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.

Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.